Support for RFC 4474 in Sailfin Application Server
To learn what Identity authentication (RFC 4474) is all about, read [1] and [2].
JSR 289:
sip.xml has the following additional elements under login-config.
<identity-assertion>
  <identity-assertion-scheme>Identity</identity-assertion-scheme>
  <identity-assertion-support></identity-assertion-support>
  <!-- SUPPORTED and REQUIRED are the supported values for identity-assertion-support -->
</identity-assertion>
As per JSR 289, Sailfin supports Identity authentication in two modes, SUPPORTED and REQUIRED. When the value SUPPORTED is used, incoming SIP messages are processed as follows:
a) if an Identity header is present, it is processed;
b) if no Identity header is present, the authentication method configured in the auth-method element is applied.
With REQUIRED, the request must carry an Identity header (see the sip.xml example below).
<login-config>
  <identity-assertion>
    <identity-assertion-scheme>Identity</identity-assertion-scheme>
    <identity-assertion-support>SUPPORTED</identity-assertion-support>
  </identity-assertion>
</login-config>
or
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>realmperapp</realm-name>
  <identity-assertion>
    <identity-assertion-scheme>Identity</identity-assertion-scheme>
    <identity-assertion-support>REQUIRED</identity-assertion-support>
  </identity-assertion>
</login-config>
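As an added example (not code from the Sailfin project or JSR 289), the following Python sketch shows what the container has to do with the two identity-assertion-support values: it builds the RFC 4474 section 9 digest-string from the request, checks the Date window and the signature of an incoming Identity header, answers 428 Use Identity Header when REQUIRED is set and the header is missing, and falls back to the configured auth-method under SUPPORTED. The parser, sample INVITE and key are constructed, and the RSA-SHA1 signature of RFC 4474 is replaced by an HMAC-SHA1 stand-in so that it runs offline.

```python
import base64, hashlib, hmac, re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed demo key (assumption). RFC 4474 uses an RSA-SHA1 signature under the signing
# domain's certificate; an HMAC-SHA1 stand-in keeps this example stdlib-only and offline.
DEMO_KEY = b"example.com-demo-signing-key"

def parse_sip(msg):
    """Minimal constructed parser: (headers keyed by lower-case name, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    pairs = (line.partition(":") for line in head.split("\r\n")[1:])
    return {name.strip().lower(): value.strip() for name, _, value in pairs}, body
def addr_spec(value):
    """Bare addr-spec of a From/To/Contact value: display name and parameters dropped."""
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).split(";")[0].strip()
def digest_string(headers, body):
    """RFC 4474 section 9 digest-string: From|To|Call-ID|CSeq|Date|Contact|body."""
    contact = addr_spec(headers["contact"]) if "contact" in headers else ""
    return "|".join([addr_spec(headers["from"]), addr_spec(headers["to"]), headers["call-id"],
                     headers["cseq"], headers["date"], contact, body])
def sign_identity(headers, body):
    mac = hmac.new(DEMO_KEY, digest_string(headers, body).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()
def with_identity(msg):
    """Insert the Identity header the signing (home) proxy adds before forwarding."""
    headers, body = parse_sip(msg)
    return msg.replace("\r\n\r\n", '\r\nIdentity: "%s"\r\n\r\n' % sign_identity(headers, body), 1)
def check_request(msg, support, now=None):
    """Apply identity-assertion-support (SUPPORTED or REQUIRED) to one inbound request.
    Returns 'identity-ok', 'fallback-auth-method', or the SIP status code to answer with."""
    headers, body = parse_sip(msg)
    if "identity" not in headers:
        return 428 if support == "REQUIRED" else "fallback-auth-method"  # 428 Use Identity Header
    try:  # RFC 4474: Date must be present and within 3600 s, which bounds replay of a signed request
        clock = parsedate_to_datetime(now) if now else datetime.now(timezone.utc)
        fresh = abs((clock - parsedate_to_datetime(headers["date"])).total_seconds()) <= 3600
    except (KeyError, TypeError, ValueError):
        fresh = False
    if not fresh or not hmac.compare_digest(sign_identity(headers, body), headers["identity"].strip('"')):
        return 438  # 438 Invalid Identity Header
    return "identity-ok"

# Constructed sample INVITE, plus a 'current' clock close to its Date header for the demo.
SAMPLE = ('INVITE sip:bob@example.net SIP/2.0\r\nFrom: "Alice" <sip:alice@example.com>;tag=1928301774\r\n'
          "To: Bob <sip:bob@example.net>\r\nCall-ID: a84b4c76e66710\r\nCSeq: 314159 INVITE\r\n"
          "Date: Thu, 21 Feb 2002 13:02:03 GMT\r\nContact: <sip:alice@pc33.example.com>\r\n"
          "Content-Length: 0\r\n\r\n")
SAMPLE_TIME = "Thu, 21 Feb 2002 13:30:00 GMT"
```

Calling check_request(SAMPLE, "REQUIRED") returns 428 while check_request(SAMPLE, "SUPPORTED") falls back to the auth-method, which is exactly the distinction the two login-config variants above express.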
Steps to configure the Identity authentication module:
Configuring the Identity authentication module breaks down into the following two steps:
Configuring the security realm
Configuring security for the SIP application
Before that, add the root certificate (Certificate Authority) of the public key used in the Identity message to cacerts.jks.
The Identity authentication module needs a security realm whose JAAS context (login-context) is “assertedRealm”. Follow the steps below to configure the realm.
Steps:
Open the Sailfin administration console; the default URL is http://localhost:4848
Click on the Configuration tab
Click on Security
Click on Realms
Click New to create a new realm (see figure)
Enter the realm name
Select JDBCRealm as the class name
Enter “assertedRealm” for JAAS Context
Enter the JDBC resource you want to use in the JNDI field
Fill in the rest of the values according to your database table structure; refer to the figures attached at the end of this blog.
Configuring security for the SIP application:
To enable authentication and authorization of requests to an application, we need to configure the following elements in sip.xml and sun-sip.xml.
Elements in sip.xml (the elements are similar to those in web.xml, with minor changes):
<security-constraint>, <login-config>, <security-role>
Please read the documentation [3] or the schema file to learn more about these elements. The sample configuration shown below means that the REGISTER and INVITE methods of SecurityTestServlet can be invoked only by users with the manager role, and that the request MUST carry an Identity header for authentication and authorization purposes.
<security-constraint>
  <display-name>UserConstraint</display-name>
  <resource-collection>
    <servlet-name>SecurityTestServlet</servlet-name>
    <sip-method>REGISTER</sip-method>
    <sip-method>INVITE</sip-method>
  </resource-collection>
  <auth-constraint>
    <description>authentication-configuration</description>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>realmperapp</realm-name>
  <identity-assertion>
    <identity-assertion-scheme>Identity</identity-assertion-scheme>
    <identity-assertion-support>REQUIRED</identity-assertion-support>
  </identity-assertion>
</login-config>
<security-role>
  <description/>
  <role-name>manager</role-name>
</security-role>
Elements in sun-sip.xml:
the property “trust-auth-realm-ref”
the element “security-role-mapping”
The security-role-mapping element is the same as the security-role-mapping element in sun-web.xml. trust-auth-realm-ref refers to the Identity realm configured in domain.xml, i.e. the realm created above whose JAAS context is “assertedRealm” (asserted_realm in the sample below).
<sun-sip-app error-url="">
  <jsp-config>
    <property name="classdebuginfo" value="true">
      <description>Enable debug info compilation in the generated servlet class</description>
    </property>
    <property name="mappedfile" value="true">
      <description>Maintain a one-to-one correspondence between static content and the generated servlet class' java code</description>
    </property>
  </jsp-config>
  <property name="trust-auth-realm-ref" value="asserted_realm"/>
  <security-role-mapping>
    <role-name>manager</role-name>
    <principal-name>venu</principal-name>
    <principal-name>jagan</principal-name>
    <group-name>Management</group-name>
  </security-role-mapping>
</sun-sip-app>
[1] http://www.tech-invite.com/Ti-sec-identity.html
[2] http://www.ietf.org/rfc/rfc4474.txt
[3] http://docs.sun.com/app/docs/doc/819-3669/bncbj?l=en&a=view&q=security-constraint